Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-36934: SQL Injection in MOVEit Transfer

CWE-89: SQL Injection | 6 documents | 6 sources
Severity: 9.1 CRITICAL (NVD)
EPSS: 91.2% (top 0.35%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Jul 5
Latest update: Oct 4

Description

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit databa

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (1 package)

NVD | progress/moveit_transfer | 13.0.0 | 13.0.9 | +5

Patches

🔴Vulnerability Details

3
CVEList
CVE-2023-36934: In Progress MOVEit Transfer before 2020 | 2023-07-05
GHSA
GHSA-xv78-4qjf-hjxf: In Progress MOVEit Transfer before 2020 | 2023-07-05
VulnCheck
Progress MOVEit Transfer Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 2023

💥Exploits & PoCs

1
Nuclei
MOVEit Transfer - SQL Injection

🕵️Threat Intelligence

1
Unit42
Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4) | 2023-10-04